SecretStore with Hashicorp Vault v1 vs v2

[Sartigan]

Hello,

End Goal
Ligthen the path (remoteRef.key) for users creating ExternalSecrets which always start with secret/data/k8s/${CLUSTER_NAME}

V1
It works properly, I can easily do this in my ClusterSecretStore

      server: "https://dev.vault.com:8200"
      path: "secret/data/k8s/mycluster"
      version: "v1"

ExternalSecret

  - secretKey: password
    remoteRef:
      key: mynamespace/secret_name
      property: data.password

This will fetch: secret/data/k8s/mycluster/mynamespace/secret_name which is exactly what we want.

V2
It does not work because the path will always append /data

      server: "https://dev.vault.com:8200"
      path: "secret/data/k8s/mycluster"
      version: "v2"

ExternalSecret

  - secretKey: password
    remoteRef:
      key: mynamespace/secret_name
      property: data.password

This will fetch secret/data/k8s/mycluster/data/mynamespace/secret_name (notice the extra /data in the middle)

Is there a way to use Vault V2 API while still avoiding k8s users to always enter the first part of the secret path: secret/data/k8s/${CLUSTER_NAME} ?

[gusfcarvalho]

Hi @Sartigan ! The main issue that I think it might happen is that if people specify a secret engine with data in the middle, cod-wise we wouldn't be able to tell the difference. So as of today we are not really trying to see if spec.path already contains a data in a v2 version.

I guess we could change it here and notify the users about incompatibility if their engine has a data in the middle ?

Probably need to test out impacts on that edge case to see if this is actually doable

[EricHorst]

I guess we could change it here and notify the users about incompatibility if their engine has a data in the middle ?

Probably need to test out impacts on that edge case to see if this is actually doable

It would be very hard to do this correctly without breaking things as it is very hard to guess where to put /data/ in all cases.

In the buildPath function ESO has already made the bad assumption that the kv2 mount point will not have slashes so it always puts the /data/ after the first path element. (len(origPath) < 2 || origPath[1] != "data") This is bad if the Vault mount is "cluster1/secret/" instead of "secret/". In the past I looked at the logic for placement of /data/ and it is complicated to fix this problem and also cover all the cases. I'd like it to not get worse so be careful.

Things work okay and is very natural when the ClusterSecretStore contains the common part of the path and the ExternalSecret contains the remainder. In this case ESO puts the /data/ between the two.

I suggest a solution to @Sartigan to not have the cluster name in the path after /data/. We give each cluster it's own Vault secret store (mountpoint). (Giving each a different mount increases security separation.)

My ClusterSecretStore looks like this:

      server: https://myvault.uw.edu
      path: cluster001/kv
      version: v2

And an ExternalSecret

  - secretKey: password
    remoteRef:
      key: mynamespace/secret_name
      property: data.password

The /data/ gets put properly between the path: and the key:, in this case "cluster001/kv/data/mynamespace/secret_name"

[gusfcarvalho]

In the buildPath function ESO has already made the bad assumption that the kv2 mount point will not have slashes so it always puts the /data/ after the first path element. (len(origPath) < 2 || origPath[1] != "data") This is bad if the Vault mount is "cluster1/secret/" instead of "secret/". In the past I looked at the logic for placement of /data/ and it is complicated to fix this problem and also cover all the cases. I'd like it to not get worse so be careful.

This is not a problem if vault mounts have multiple slashes, given that they are all put within the SecretStore's spec.path (origPath is the path from the ExternalSecrets, not the SecretStore mountpath). What I was thinking about was not necessarily to induce where to find the data, but if the data is provided in the SecretStore's spec.path, to consider as a valid endpoint and not to append data again. This will sure help most use cases.

The edge case that I wanted to express was that if someone has an engine path e.g. cluster1/data/secrets might have a problem that they cannot work around. (other than manually set the second data as well)

[githubcdr]

I'm facing similar issues that might be related to the /data path in Vault, combined with a defined path in a v2 Vault setup.

ss

spec:
  provider:
    vault:
      auth:
        tokenSecretRef:
          key: token
          name: vault-token
      path: io-whitelabel/data/testing
      server: https://vault
      version: v1 # v2 give syncerrors with the wrong path

es

spec:
  dataFrom:
  - extract:
      conversionStrategy: Default
      key: podinfo-service
  refreshInterval: 15s
  secretStoreRef:
    kind: SecretStore
    name: vault-backend
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: podinfo-service
    template:
      engineVersion: v2
      metadata:
        annotations:
          configmap.reloader.stakater.com/reload: podinfo-service
          secret.reloader.stakater.com/reload: podinfo-service
        labels:
          app: podinfo-service
          generator: external-secrets

secret

kind: Secret
apiVersion: v1
data:
  data: eyJTRU5ER1.....JJRCI6IWcifQ==
  metadata: eyJjcmVhdGVkX....aW9uIjoyNX0=
immutable: false

It looks like the dataFrom does not work in this setup, the secret does not contain the keys.

data: '{"SENDGRID":"1234","SENDGRID_KEY":"kjhdfgkjbdsfgndsfgnjksdfgsdgdsfgdfs"}
metadata: '{"created_time":"2022-07-05T06:59:51.956421034Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":25}'

Expectation

I expected external-secrets to extract the keys as described in the "multi keys from one secret example".

[gusfcarvalho]

Hi @githubcdr ! You can work around it by adding a property: data Right after the key field. Can you share the errors for the v2 setup?

[githubcdr]

Thanks! That did the trick for me, this was not easy to find in the docs :)

The v2 error

ss

spec:
  provider:
    vault:
      auth:
        tokenSecretRef:
          key: token
          name: vault-token
      path: io-whitelabel/data/testing
      server: https://vault
      version: v2
status:
  conditions:
  - lastTransitionTime: "2022-07-07T19:30:02Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready

All seems ok here.

es

spec:
  dataFrom:
  - extract:
      conversionStrategy: Default
      key: podinfo-service
      property: data
  refreshInterval: 15s
  secretStoreRef:
    kind: SecretStore
    name: vault-backend
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: podinfo-service
    template:
      engineVersion: v2
      metadata:
        annotations:
          configmap.reloader.stakater.com/reload: podinfo-service
          secret.reloader.stakater.com/reload: podinfo-service
        labels:
          app: podinfo-service
          generator: external-secrets
status:
  conditions:
  - lastTransitionTime: "2022-07-08T10:40:53Z"
    message: could not get secret data from provider
    reason: SecretSyncedError
    status: "False"
    type: Ready
  refreshTime: "2022-07-08T10:40:38Z"
  syncedResourceVersion: 2-a7cc7c5e0d182e4f44aef08cab4987f8

the pod logs

{"level":"error","ts":1657277065.5236943,"logger":"controllers.ExternalSecret","msg":"could not get secret data from provider","ExternalSecret":"io-whitelabel-testing/podinfo-service","SecretStore":"io-whitelabel-
testing/vault-backend","error":"cannot read secret data from Vault: Error making API request.\n\nURL: GET https://vault/v1/io-whitelabel/testing/data/podinfo-service\nCode: 403. Errors:\n\n* 1 error occur
red:\n\t* permission denied\n\n","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controll
er/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:3
11\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:266\nsigs.k8s.io
/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:227"}

GET https://vault/v1/io-whitelabel/testing/data/podinfo-service

should be

GET https://vault/v1/io-whitelabel/data/testing/podinfo-service if I am correct?

[Sartigan]

You can ignore my request, I'm gonna go with @EricHorst's recommendation. This does not work with DataFrom who will append /metadata and that doesnt work with Vault's API.

Thanks for your replies and suggestions